Tags: 2007, adfs, moss, troubles
#16
Re: ADFS & MOSS 2007 troubles

Hi Joe,

Well, have double checked and played around with a number of variations and I can't make it work. I keep getting the "duplicate request" problem (actually says Infinite loop in the adfs log). I am pretty sure the adfs side of things is working, as my login gets resolved properly (again checking the log).

I am just going to show what I am doing in case there is an obvious mistake:

Single server: ServerA with SharePoint 2007 and ADFS installed in my domainB
I have a web app WebappA with SSL only on port 83, ADFS web agents installed via IIS
cookie path "/"
cookie domain ""
return url "https://ServerA.domainB:83/"
Federation service URL: https://ServerA.domainB/adfs/fs/federationserverservice.asmx

In ADFS, I have set up a trust policy:
Federation Service URI: urn:federation:ServerA
Endpoint: https://ServerA.domainB/adfs/ls
My Organisation has a UPN identity claim and AD as account store
Finally I have defined an application "ServerA Token", URL https://serverA.domainB:83/

The corresponding elements in WebappA's web config match.

My goal is to set up different web apps (eg WebappB at https://serverA.domainB:85) and be able to share a login amongst them, ie: browse to https://serverA.domainB:83/, login and access site, then browse to https://ServerA.domainB:85 and access site without logging in.

Is that model supported? I would imagine that ADFS needs to share the cookie between WebappA and WebappB. I had understood from this post and other sources that this was achievable. Am I barking up the wrong tree? Here I am trying to use a common authentication store for two webapps. Is the model that I can use two authentication stores for one web app? Or doesn't it matter? I guess I am a little confused.

If you can help, I'd be really grateful.

Thanks

Mark

On Jan 19, 6:18 pm, "Joe Kaplan" <joseph.e.kap...@removethis.accenture.com> wrote:
> Drop me a note offline and I'll send you the experimental
> "ActiveDirectoryRoleProvider" that Ryan (my coauthor) wrote. You are
> welcome to play with it if you want.
>
> I totally understand about the not wanting to call PSS thing; it is a pain.
> Unfortunately, you have no recourse unless you can convince someone to send
> you the hotfix via email. I don't have it (yet), so don't ask. :)
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> <mah...@gmail.com> wrote in message
> news:1169221227.501515.265970@38g2000cwa.googlegroups.com...
>
> > Hi Joe,
> > I'm only concerned in that getting payments made for such things in my
> > organisation is not straightforward ;)
> > We have an educational support contract as well, but from a pragmatic
> > point of view, I was just trying to find a way with the least
> > bureaucracy!
> > We also have a test domain that I can access to set up ADFS on a second
> > server. I'll try that before going through support.
> >
> > BTW, you reference in other postings about a custom LDAP membership
> > provider. Did you say you would make the source available on request? I
> > am about to start down that route using Steven Fowler's stub. I would
> > like to use the provider to import profiles so that my FBA users can
> > get MySites etc. We have Active Directory, but WIA is no good for us as
> > we have to support Macs and remote users.
> > Can you confirm that this is possible?
> >
> > Thanks
> >
> > Mark
> >
> > Joe Kaplan wrote:
> >> Note that published bug fixes requested from PSS don't cost you anything,
> >> even if they initially ask you for a credit card or something. It is just a
> >> procedure. Some bug fixes are tracked carefully by PSS and are not made
> >> available for general download, but MS doesn't charge anyone for them.
> >> Hopefully you aren't concerned about that. :)
> >>
> >> Joe K.
> >>
> >> --
> >> Joe Kaplan-MS MVP Directory Services Programming
> >> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> >> http://www.directoryprogramming.net
> >> --
> >> <mah...@gmail.com> wrote in message
> >> news:1169195561.280714.145400@11g2000cwr.googlegroups.com...
> >> > Hi,
> >> > I see you have to go through PSS to get this - have you done that?
> >> > Thanks
> >> > Mark
> >> >
> >> > verukins wrote:
> >> >> Hi Mark,
> >> >> Almost like magic, a hotfix was recently released.... to
> >> >> address moss 2007/ADFS issues...
> >> >>
> >> >> http://support.microsoft.com/kb/920764/en-us
#17
Re: ADFS & MOSS 2007 troubles

Ah, you can't do what you want to do by splitting out your sites based on the port. The problem is that the browser doesn't make a distinction between servera.domainb:83 and servera.domainb:84 and will replay any cookie set for servera.domainb to all of them. Since ADFS uses the same cookie name for the auth cookie (_webSSOAuth), your different apps will get each other's cookies. That causes issues like "incorrect SAML audience" and such. This isn't really the fault of ADFS. It is just how browsers handle cookies and is part of the spec.

You need to either fire up new host names for each app and get different certs or split off the apps by virtual directory and make sure you have no overlap in your cookie path. Basically, you could do:

servera.domainb/app1
servera.domainb/app2
servera.domainb/app3

and make sure the cookie paths for each app are /app1, /app2, /app3, etc.

When doing token apps, you don't configure anything in web.config. It is all done in IIS Manager.

Thanks for the additional explanation. I hope this makes sense.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<mah624@gmail.com> wrote in message news:1170860973.840606.93830@m58g2000cwm.googlegroups.com...
#18
Re: ADFS & MOSS 2007 troubles

Hi Joe,

Thanks for the explanation. That does make some sense. I had a feeling that I couldn't perform a reasonable test in my test environment (a single virtual PC!). I guess I can spend some more time setting up in the way you describe.

Thanks again for your help.

Mark

On Feb 7, 4:41 pm, "Joe Kaplan" <joseph.e.kap...@removethis.accenture.com> wrote:
#19
Re: ADFS & MOSS 2007 troubles

Use a hosts file to define a bunch of fake host names and create new certs for them. You'll still need to put the apps on different ports as you'll likely need to use the same IP address, but that should at least fool the browser into keeping the cookies straight.

Alternately, you can just use the virtual directories approach. I think that might be easiest.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<mah624@gmail.com> wrote in message news:1170928449.109590.208170@k78g2000cwa.googlegroups.com...
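The cookie behaviour Joe describes in #17 (the browser ignores the port, so one `_webSSOAuth` cookie set with path "/" is replayed to every app on servera.domainb) and the two fixes he proposes (#17: virtual directories with non-overlapping cookie paths; #19: separate host names from a hosts file) can be checked against a small model of the browser's cookie scoping rules. The following is an added example, not code from this thread, from ADFS or from Joe Kaplan: the jar applies the host-only, domain and path matching rules later codified in RFC 6265, and the host names, application paths and token values are constructed for illustration.

```javascript
// Added example (not code from the thread, from ADFS or from Joe Kaplan): a minimal
// cookie jar that applies the browser scoping rules later codified in RFC 6265
// (sections 5.1.3, 5.1.4 and 5.4). Host names, paths and token values are constructed.

// RFC 6265 5.1.4: default cookie path derived from the request path.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 5.1.4 path-match: equal, or the cookie path is a prefix on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a Set-Cookie received in the response to a request for `requestUrl`.
  setCookie(requestUrl, name, value, { path, domain, secure = true } = {}) {
    const u = new URL(requestUrl);
    const cookie = {
      name, value, secure,
      // The port is deliberately not part of the scope: a cookie is keyed by host, not by origin.
      hostOnly: !domain,
      domain: (domain || u.hostname).toLowerCase().replace(/^\./, ""),
      path: path || defaultPath(u.pathname),
    };
    // A cookie with the same name, domain and path replaces the stored one (RFC 6265 5.3).
    this.cookies = this.cookies.filter(c =>
      !(c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path));
    this.cookies.push(cookie);
  }

  // "name=value" pairs the browser would attach to a request for `requestUrl`.
  cookiesFor(requestUrl) {
    const u = new URL(requestUrl);
    const host = u.hostname.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter(c => pathMatches(u.pathname, c.path))
      .filter(c => !c.secure || u.protocol === "https:")
      .map(c => `${c.name}=${c.value}`);
  }
}

// Mark's setup: two web apps on one host, split only by port, agent cookie path "/".
function portSplitLeaksCookie() {
  const jar = new CookieJar();
  jar.setCookie("https://servera.domainb:83/", "_webSSOAuth", "token-for-webappA", { path: "/" });
  // WebappB on :85 receives WebappA's token; that is the cross-app cookie Joe describes.
  return jar.cookiesFor("https://servera.domainb:85/");
}

// Joe's first fix: virtual directories with non-overlapping cookie paths.
function virtualDirectoriesIsolate() {
  const jar = new CookieJar();
  jar.setCookie("https://servera.domainb/app1/", "_webSSOAuth", "token-for-app1", { path: "/app1" });
  jar.setCookie("https://servera.domainb/app2/", "_webSSOAuth", "token-for-app2", { path: "/app2" });
  return {
    app1: jar.cookiesFor("https://servera.domainb/app1/default.aspx"),
    app2: jar.cookiesFor("https://servera.domainb/app2/default.aspx"),
    // "/app1" is a string prefix of "/app10" but not a path-segment prefix, so nothing is sent.
    app10: jar.cookiesFor("https://servera.domainb/app10/"),
    root: jar.cookiesFor("https://servera.domainb/"),
  };
}

// Joe's second fix: distinct host names (e.g. from a hosts file) sharing one IP address.
function separateHostNamesIsolate() {
  const jar = new CookieJar();
  jar.setCookie("https://app1.domainb:83/", "_webSSOAuth", "token-for-app1", { path: "/" });
  jar.setCookie("https://app2.domainb:85/", "_webSSOAuth", "token-for-app2", { path: "/" });
  return {
    app1: jar.cookiesFor("https://app1.domainb:83/"),
    app2: jar.cookiesFor("https://app2.domainb:85/"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("port split:", portSplitLeaksCookie());
  console.log("virtual directories:", virtualDirectoriesIsolate());
  console.log("separate host names:", separateHostNamesIsolate());
}
```

Running it shows the three outcomes side by side: the port-only split returns WebappA's token for the :85 request, while both of Joe's layouts return exactly one token per application. The `app10` case is included because a path of `/app1` is matched on segment boundaries, so a neighbouring directory whose name merely starts with `app1` does not receive the cookie either.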